Time | Victim OS | Infection Source | C&C Server | DNS Lookups & Failed Connects | Infection Port | Packet Trace | Detection Signatures | Infection Chatter | BotHunter Analysis | Behavioral Cluster | Forensic Logs | Antivirus Labels | Packed Malware_Binary | Unpacked egg.exe | Unpacked egg.asm | Packer PEID | Data Strings | Syscall Trace
T:00:10:00 | Win2K-f | 65.6.132.38 (BELLSOUTH.NET): BELLSOUTH.NET INC, ATLANTA, GEORGIA, US. (DSL) | n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset | other 89 lines | Yeah : 1.3 profile | none | summary tarball | 33 of 33 0 of 33 | 53bfe15e91 NEW a08f3b74a4 NEW | 1473091351 [0] none [0] | ASM:Graph none:none | tElock| Armadillo| | lines=75 embedded dns lines=90 | trace trace
T:00:31:00 | Win2K-f | 24.80.166.120 (SHAWCABLE.NET): SHAW COMMUNICATIONS INC, VANCOUVER, BRITISH COLUMBIA, CA. (DSL) | n/a | CN:irc.zief.pl CN:av.lometr.pl CN:down1130.iwillhavesexygirls.com EU:pozeml.com :pozemle.cn CN:210.51.36.215:88 93.174.92.220:80 | 135 | pcap | raw alerts ruleset | http 347 lines | Yeah : 1.3 profile | none | summary tarball | 11 of 41 34 of 40 28 of 41 | a2ce42b73d NEW a72398081f NEW c125dd19c3 NEW | none[none] 3f0ad45d1c[0] none [none] | none:none none:none none:none | none|none tElock| none|none | none none none | none trace none
T:00:50:00 | Win2K-f | 219.121.75.173 (WAKWAK.NE.JP): XEPHION(NTT-ME CORPORATION), TOKYO, TOKYO, JP. (DSL) | n/a | CN:irc.zief.pl CN:down1130.iwillhavesexygirls.com EU:pozeml.com :pozemle.cn CN:210.51.36.215:88 US:72.20.40.25:555 93.174.92.220:80 | 445 | pcap | raw alerts ruleset | http 11 lines | Argh : 0.3 profile | none | summary tarball | 11 of 41 | a2ce42b73d NEW | none[none] | none:none | none|none | none | none
T:01:05:00 | Win2K-f | 59.117.160.69 (HINET.NET): CHUNGHWA TELECOM DATA COMMUNICATION BUSINESS GROUP, TAIPEI, T'AI-PEI, TW. (DSL) | n/a | US:www.maxmind.com US:www.getmyip.org :checkip.dyndns.org EU:getmyip.co.uk DE:131.220.6.26:80 208.78.70.70:80 US:75.126.138.202:80 EU:78.40.35.134:80 | 445 | pcap | raw alerts ruleset | http 4 lines | Yeah : 0.8 profile | none | summary tarball | 2 of 37 | 409ef22885 NEW | none[3] | none:none | UPX| | none | trace
T:01:14:00 | Win2K-f | 59.117.160.69 (HINET.NET): CHUNGHWA TELECOM DATA COMMUNICATION BUSINESS GROUP, TAIPEI, T'AI-PEI, TW. (DSL) | n/a | US:www.maxmind.com :checkip.dyndns.org DE:131.220.6.26:80 US:67.15.94.80:80 | 445 | pcap | raw alerts ruleset | http 3 lines | Yeah : 0.8 profile | none | summary tarball | 2 of 37 | 409ef22885 NEW | none[3] | none:none | UPX| | none | trace
T:02:11:00 | Win2K-f | 125.4.0.231 (ZAQ.NE.JP): J:COM WEST CO. LTD, OSAKA, OSAKA, JP. (DSL) | n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset | other 75 lines | Yeah : 1.3 profile | none | summary tarball | 0 of 32 33 of 33 | 07fabc79ef NEW 53bfe15e91 NEW | none[0] 1473091351[0] | ASM:Graph ASM:Graph | Armadillo| tElock| | lines=81 lines=75 embedded dns | trace trace
T:03:10:00 | WinXP | 202.137.187.169 (CCNET-AI.NE.JP): COMMUNITY NETWORK CENTER INC, TOYOKAWA, AICHI, JP. (DSL) | n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset | other 79 lines | Yeah : 1.3 profile | none | summary tarball | 0 of 32 33 of 33 | 07fabc79ef NEW 53bfe15e91 NEW | none[0] 1473091351[0] | ASM:Graph ASM:Graph | Armadillo| tElock| | lines=81 lines=75 embedded dns | trace trace
T:04:56:00 | Win2K-f | 65.6.132.38 (BELLSOUTH.NET): BELLSOUTH.NET INC, ATLANTA, GEORGIA, US. (DSL) | n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset | other 117 lines | Yeah : 1.3 profile | none | summary tarball | 33 of 33 0 of 33 | 53bfe15e91 NEW a08f3b74a4 NEW | 1473091351 [0] none [0] | ASM:Graph none:none | tElock| Armadillo| | lines=75 embedded dns lines=90 | trace trace
T:05:00:00 | WinXP | 61.221.237.252 (-): HUNG REN SHIN IE CO. LTD. PINGTUNG BRANCH COMPANY, TAIPEI, T'AI-PEI, TW. (100Mbps) | n/a | | 135 | pcap | raw alerts ruleset | other 1002 lines | Yeah : 1.3 profile | none | summary tarball | 17 of 41 | e1693609f9 NEW | none[3] | none:none | none|none | none | trace
T:05:01:00 | Win2K-f | 119.161.113.131 (KCN-TV.NE.JP): KUMAMOTO CABLE NETWORK CORPORATION, KUMAMOTO, KUMAMOTO, JP. (DSL) | n/a | | 135 | pcap | raw alerts ruleset | other 1 line | Argh : 0.3 profile | none | summary tarball | none | none | none | none | none | none | none
T:05:24:00 | WinXP | 151.100.46.71 (-): UNIVERSITA' DEGLI STUDI DI ROMA LA SAPIENZA, ROME, LAZIO, IT. (DSL) | n/a | RU:citi-bank.ru RU:213.219.245.212:80 | 445 | pcap | raw alerts ruleset | http 1 line | Yeah : 0.8 profile | none | summary tarball | 33 of 35 | e9fcd6f257 NEW | 2e05bc2272 [0] | ASM:Graph | PolyEnE| | lines=68 | trace
T:05:28:00 | Win2K-f | 96.8.163.139 (GVTC.COM): GUADALUPE VALLEY TELEPHONE COOPERATIVE INC, NEW BRAUNFELS, TEXAS, US. (DSL) | n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset | other 75 lines | Yeah : 1.3 profile | none | summary tarball | 33 of 33 0 of 33 | 53bfe15e91 NEW a08f3b74a4 NEW | 1473091351 [0] none [0] | ASM:Graph none:none | tElock| Armadillo| | lines=75 embedded dns lines=90 | trace trace
T:07:45:00 | WinXP | 208.101.225.12 (MNCABLE.NET): SJOBERG CABLE, THIEF RIVER FALLS, MINNESOTA, US. (DSL) | n/a | :moscow-advokat.ru | 445 | pcap | raw alerts ruleset | other 0 lines | Yeah : 0.8 profile | none | summary tarball | 37 of 39 | a79d6619a4 NEW | ee99188e6d [0] | none:none | tElock| | none | trace
T:08:00:00 | WinXP | 112.200.57.9 (PLDT.NET): IPG, LAS PINAS CITY, MANILA, PH. (DSL) | n/a | US:gg.arrancar.org US:72.20.40.25:555 | 135 | pcap | raw alerts ruleset | other 711 lines | Yeah : 1.3 profile | none | summary tarball | 39 of 41 | c65873f7b6 NEW | none[none] | none:none | none|none | none | none
T:08:10:00 | Win2K-f | 174.6.21.151 (SHAWCABLE.NET): SHAW COMMUNICATIONS INC, WINNIPEG, MANITOBA, CA. (DSL) | n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset | other 75 lines | Yeah : 1.3 profile | none | summary tarball | 33 of 33 0 of 33 | 53bfe15e91 NEW a08f3b74a4 NEW | 1473091351 [0] none [0] | ASM:Graph none:none | tElock| Armadillo| | lines=75 embedded dns lines=90 | trace trace
T:09:02:00 | WinXP | 87.57.133.248 (DSL.TELE.DK): TDC-TELEDANMARK-BREDBAANDSADSL-NET, ÅRHUS, ARHUS, DK. (DSL) | n/a | RU:citi-bank.ru RU:213.219.245.212:80 | 445 | pcap | raw alerts ruleset | http 3 lines | Yeah : 0.8 profile | none | summary tarball | 38 of 40 | 624d43be60 NEW | 3caff61b75 [0] | ASM:Graph | PolyEnE| | lines=68 | trace
T:09:06:00 | Win2K-f | 24.48.150.239 (SPEAKEASY.NET): WEST PALM BEACH, FLORIDA, US. (DSL) | n/a | | 135 | pcap | raw alerts ruleset | other 18 lines | Yeah : 1.3 profile | none | summary tarball | none | none | none | none | none | none | none
T:09:19:00 | WinXP | 208.101.225.12 (MNCABLE.NET): SJOBERG CABLE, THIEF RIVER FALLS, MINNESOTA, US. (DSL) | n/a | :moscow-advokat.ru | 445 | pcap | raw alerts ruleset | other 0 lines | Yeah : 0.8 profile | none | summary tarball | 37 of 39 | a79d6619a4 NEW | ee99188e6d [0] | none:none | tElock| | none | trace
T:10:12:00 | Win2K-f | 122.146.252.192 (SPARQNET.NET): NEW CENTRY INFOCOM TECH. CO. LTD, TAIPEI, T'AI-PEI, TW. (DSL) | n/a | | 135 | pcap | raw alerts ruleset | other 19 lines | Yeah : 1.3 profile | none | summary tarball | none | none | none | none | none | none | none
T:10:46:00 | Win2K-f | 59.125.210.63 (HINET.NET): CHTD CHUNGHWA TELECOM CO. LTD, TAIPEI, T'AI-PEI, TW. (100Mbps) | n/a | US:www.maxmind.com EU:getmyip.co.uk GB:www.vouchercodez.com US:www.getmyip.org :checkip.dyndns.org 208.78.70.70:80 US:67.15.94.80:80 GB:80.82.121.239:80 | 445 | pcap | raw alerts ruleset | http 3 lines | Yeah : 0.8 profile | none | summary tarball | 3 of 37 | d9cb288f31 NEW | 45603a001c [0] | ASM:Graph | UPX| | lines=174 embedded dns | trace
T:10:55:00 | Win2K-f | 59.125.210.63 (HINET.NET): CHTD CHUNGHWA TELECOM CO. LTD, TAIPEI, T'AI-PEI, TW. (100Mbps) | n/a | US:www.maxmind.com :checkip.dyndns.org DE:131.220.6.26:80 US:67.15.94.80:80 | 445 | pcap | raw alerts ruleset | http 3 lines | Yeah : 0.8 profile | none | summary tarball | 3 of 37 | d9cb288f31 NEW | 45603a001c [0] | ASM:Graph | UPX| | lines=174 embedded dns | trace
T:12:16:00 | WinXP | 87.228.47.214 (-): INFOLINE ZAO, MOSCOW, MOSCOW CITY, RU. (DSL) | n/a | EU:siliconfireware.ru :wpad US:searchportal.information.com GB:welcome3.smile.co.uk US:208.73.210.125:80 | 445 | pcap | raw alerts ruleset | http http 2 lines | Yeah : 0.8 profile | none | summary tarball | 29 of 29 | a12cab51ef NEW | none[0] | none:none | ASPack| | lines=281 embedded dns | trace
T:12:19:00 | Win2K-f | 173.20.140.66 (MCHSI.COM): MEDIACOM COMMUNICATIONS CORP, ALBANY, GEORGIA, US. (DSL) | n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset | other 110 lines | Yeah : 1.3 profile | none | summary tarball | 40 of 41 39 of 41 | 5e3a9c2d9d NEW 630308d06b NEW | dbc48b815a [0] 847d302e37[0] | none:none none:none | tElock| Armadillo| | none none | trace trace
T:12:40:00 | Win2K-f | 76.92.215.61 (RR.COM): ROAD RUNNER HOLDCO LLC, OVERLAND PARK, KANSAS, US. (100Mbps) | n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset | other 75 lines | Yeah : 1.3 profile | none | summary tarball | 33 of 33 0 of 32 | 53bfe15e91 NEW 73f1082158 NEW | 1473091351 [0] none [0] | ASM:Graph none:none | tElock| Armadillo| | lines=75 embedded dns lines=90 | trace trace
T:14:13:00 | Win2K-f | 217.159.130.85 (ESTPAK.EE): ESTONIANMATCH LTD, TARTU, TARTUMAA, EE. (100Mbps) | n/a | US:www.maxmind.com US:www.getmyip.org :checkip.dyndns.org EU:getmyip.co.uk 208.78.70.70:80 US:67.15.94.80:80 US:75.126.138.202:80 EU:78.40.35.134:80 | 445 | pcap | raw alerts ruleset | http 1 line | Yeah : 0.8 profile | none | summary tarball | 3 of 37 | d9cb288f31 NEW | 45603a001c [0] | ASM:Graph | UPX| | lines=174 embedded dns | trace
T:14:22:00 | Win2K-f | 217.159.130.85 (ESTPAK.EE): ESTONIANMATCH LTD, TARTU, TARTUMAA, EE. (100Mbps) | n/a | US:www.maxmind.com US:www.getmyip.org EU:getmyip.co.uk GB:www.vouchercodez.com :checkip.dyndns.org DE:131.220.6.26:80 US:67.15.94.80:80 US:75.126.138.202:80 GB:80.82.121.239:80 | 445 | pcap | raw alerts ruleset | http 4 lines | Yeah : 0.8 profile | none | summary tarball | 3 of 37 | d9cb288f31 NEW | 45603a001c [0] | ASM:Graph | UPX| | lines=174 embedded dns | trace
T:14:33:00 | Win2K-f | 63.26.244.47 (UU.NET): UUNET TECHNOLOGIES INC, STEWARTVILLE, MINNESOTA, US. (DSL) | n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset | other 75 lines | Yeah : 1.3 profile | none | summary tarball | 33 of 33 0 of 32 | 53bfe15e91 NEW 73f1082158 NEW | 1473091351 [0] none [0] | ASM:Graph none:none | tElock| Armadillo| | lines=75 embedded dns lines=90 | trace trace
T:15:22:00 | Win2K-f | 216.211.244.213 (NORWOODLIGHT.COM): NORWOOD LIGHT BROADBAND, NORWOOD, MASSACHUSETTS, US. (DSL) | n/a | | 135 | pcap | raw alerts ruleset | other 10 lines | Yeah : 1.3 profile | none | summary tarball | none | none | none | none | none | none | none
T:15:55:00 | WinXP | 93.102.216.174 (REV.OPTIMUS.PT): OPTIMUS PORTUGAL, PT. (DSL) | n/a | :www.google.com.au US:www.altavista.com :jbeegvia.ru | 445 | pcap | raw alerts ruleset | http 1 line | Yeah : 0.8 profile | none | summary tarball | 31 of 32 | 17028f1eda NEW | none[3] | none:none | tElock| | none | trace
T:17:30:00 | Win2K-f | 72.251.36.156 (1DIAL.COM): AD-BASE SYSTEMS INC. (DBA GLOBALPOPS), NEW KENSINGTON, PENNSYLVANIA, US. (DIAL) | n/a | | 135 | pcap | raw alerts ruleset | other 4 lines | Yeah : 0.8 profile | none | summary tarball | none | none | none | none | none | none | none
T:17:44:00 | Win2K-f | 71.111.211.231 (VERIZON.NET): VERIZON INTERNET SERVICES INC, DURHAM, NORTH CAROLINA, US. (DSL) | n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset | other 75 lines | Yeah : 1.3 profile | none | summary tarball | 33 of 33 0 of 33 | 53bfe15e91 NEW a08f3b74a4 NEW | 1473091351 [0] none [0] | ASM:Graph none:none | tElock| Armadillo| | lines=75 embedded dns lines=90 | trace trace
T:18:21:00 | WinXP | 116.89.141.66 (-): VIBO TELECOM INC, TAIPEI, T'AI-PEI, TW. (DSL) | n/a | NL:proxim.ntkrnlpa.info RU:citi-bank.ru RU:213.219.245.212:80 NL:83.68.16.30:80 | 445 | pcap | raw alerts ruleset | http 1 line | Yeah : 0.8 profile | none | summary tarball | 40 of 41 | cf346981b5 NEW | 2eb6c94f0a [none] | none:none | PolyEnE| | none | trace
T:19:03:00 | WinXP | 190.208.73.66 (-): TELMEX CHILE S.A HFC, SANTIAGO, REGION METROPOLITANA, CL. (DSL) | n/a | :moscow-advokat.ru | 445 | pcap | raw alerts ruleset | http 1 line | Yeah : 0.8 profile | none | summary tarball | 39 of 40 | 2aee34a1ff NEW | b27c29d041 [none] | none:none | PolyEnE| | none | trace
T:19:22:00 | Win2K-f | 96.49.132.250 (SHAWCABLE.NET): SHAW COMMUNICATIONS INC, WINNIPEG, MANITOBA, CA. (DSL) | n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset | other 75 lines | Yeah : 1.3 profile | none | summary tarball | 33 of 33 0 of 33 | 53bfe15e91 NEW a08f3b74a4 NEW | 1473091351 [0] none [0] | ASM:Graph none:none | tElock| Armadillo| | lines=75 embedded dns lines=90 | trace trace
T:19:24:00 | WinXP | 95.124.16.97 (-): 1AND, DE. (DSL) | n/a | RU:citi-bank.ru | 445 | pcap | raw alerts ruleset | http 1 line | Yeah : 0.8 profile | none | summary tarball | 40 of 41 | f45285574e NEW | d984958bf9 [none] | none:none | PolyEnE| | none | trace
T:19:27:00 | Win2K-f | 110.12.12.206 (-): HANARO TELECOM, SEOUL, SEOUL-T'UKPYOLSI, KR. (DSL) | n/a | US:microsoft.com | 135 | pcap | raw alerts ruleset | other 113 lines | Yeah : 1.3 profile | none | summary tarball | 5 of 41 40 of 41 | ad089c4cb1 NEW d14cb229a1 NEW | none[none] none [none] | none:none none:none | none|none none|none | none none | none none
T:19:50:00 | Win2K-f | 216.211.244.213 (NORWOODLIGHT.COM): NORWOOD LIGHT BROADBAND, NORWOOD, MASSACHUSETTS, US. (DSL) | n/a | | 135 | pcap | raw alerts ruleset | other 10 lines | Yeah : 1.3 profile | none | summary tarball | none | none | none | none | none | none | none
T:20:53:00 | WinXP | 114.205.153.140 (-): HANARO TELECOM, SEOUL, SEOUL-T'UKPYOLSI, KR. (DSL) | 218.93.201.51:65520 | FR:proxim.ircgalaxy.pl US:microsoft.com CN:down1130.iwillhavesexygirls.com EU:pozeml.com :pozemle.cn CN:210.51.36.215:88 CN:218.93.201.51:65520 93.174.92.220:80 | 135 | pcap | raw alerts ruleset | irc http 145 lines | Yeah : 1.8 profile | none | summary tarball | 39 of 41 11 of 41 38 of 40 | 5f62cd8acb NEW a2ce42b73d NEW c9d70eb4bf NEW | none[none] none [none] none [none] | none:none none:none none:none | none|none none|none none|none | none none none | none none none
T:21:04:00 | Win2K-f | 70.182.243.177, 210.51.36.215 (INVALID IPV4 ADDRESS): INVALID IPV4 ADDRESS, INVALID IPV4 ADDRESS, INVALID IPV4 ADDRESS, INVALID IPV4 ADDRESS. (INVALID IPV4 ADDRESS) | 88.198.228.238:65520 | US:microsoft.com FR:proxim.ircgalaxy.pl CN:av.lometr.pl CN:down1130.iwillhavesexygirls.com EU:pozeml.com :pozemle.cn CN:1130.kfgrtjer.cn :bfkq.com :jsactivity.com US:mjjia.cn :braverhotels.com CN:hotelseas.com US:search.toptravellingtips.com US:66.96.221.101:80 93.174.92.220:80 | 135 | pcap | raw alerts ruleset | irc http 213 lines | Yeah : 1.8 profile | none | summary tarball | 16 of 39 13 of 41 39 of 41 3 of 40 0 of 41 11 of 41 28 of 41 14 of 41 38 of 41 | 1b18aa5393 NEW 3e6e748549 NEW 55067eaeb2 NEW 78ba671465 NEW 851164e199 NEW a2ce42b73d NEW c125dd19c3 NEW c851a1ea41 NEW d441b3f319 NEW | none[none] none [none] b625785b95[0] none [none] none [none] none [none] none [none] none [none] e33b328c50[0] | none:none none:none none:none none:none none:none none:none none:none none:none none:none | none|none none|none PolyEnE| none|none none|none none|none none|none none|none Armadillo| | none none none none none none none none none | none none trace none none none none none trace
T:21:53:00 | WinXP | 64.188.199.141 (-): WINDJAMMER COMMUNICATIONS LLC, BOSTON, MASSACHUSETTS, US. (DSL) | n/a | RU:citi-bank.ru RU:213.219.245.212:80 | 445 | pcap | raw alerts ruleset | http 2 lines | Yeah : 0.8 profile | none | summary tarball | 39 of 41 | d8040f84d4 NEW | d683995e84 [0] | none:none | PolyEnE| | none | trace
T:21:58:00 | Win2K-f | 117.55.23.180 (E-MOBILE.NE.JP): EMOBILE LTD, TOKYO, TOKYO, JP. (DSL) | n/a | US:lawscheme.com :a.collective-media.net US:ad.yieldmanager.com :picturemin.com US:www.comparedby.us US:64.151.68.234:80 | 445 | pcap | raw alerts ruleset | http http http 37 lines | Argh : 0.3 profile | none | summary tarball | 0 of 41 | db0e25d2a2 NEW | none[none] | none:none | none|none | none | none
T:22:44:00 | Win2K-f | 118.170.208.217 (HINET.NET): CHUNGHWA TELECOM DATA COMMUNICATION BUSINESS GROUP, TAIPEI, T'AI-PEI, TW. (DSL) | n/a | US:www.maxmind.com :checkip.dyndns.org EU:getmyip.co.uk US:www.getmyip.org 208.78.70.70:80 US:67.15.94.80:80 US:75.126.138.202:80 EU:78.40.35.134:80 | 445 | pcap | raw alerts ruleset | http 1 line | Yeah : 0.8 profile | none | summary tarball | 2 of 37 | fcb4920986 NEW | none[3] | none:none | UPX| | none | trace